Transferring Apple services when using federated authentication with Apple Business Manager
When enabling federation within Apple Business Manager, several services your organization relies on might need to be transferred from personal Apple IDs to Managed Apple IDs. Below is a list of those services and the recommended steps for transferring each one without losing access to it.
Apple Push Notification service (APNs)
APNs certificates are most commonly used by organizations to enable communication from their mobile device management (MDM) solution to managed devices. The APNs certificate associated with a personal Apple ID can be moved to a Managed Apple ID by contacting Apple. This process can take up to ten business days. No interruption in communication between the MDM solution and the devices occurs when the move to the new account is completed. See Contact Apple for help with Apple Push Notification service certificates.
Apple Developer Program
Organizations with Apple Developer Program memberships must create new accounts with the necessary roles for users’ Managed Apple IDs. To do this:
1. Change the username of the existing developer Apple ID to another domain or subdomain that isn’t being federated. Popular personal email services will work for developer accounts.
2. Have the user generate a new federated Managed Apple ID. This can be done by signing into iCloud using Settings on an iPhone or iPad, System Preferences on Mac, or during the initial setup of the device.
3. In the developer account, have another team member send an invite to the newly created Managed Apple ID and assign the appropriate role. For information on transferring the developer Account Holder role to someone else on your development team, see Account Holder Role Transfer on the Apple Developer website.
Note: Command-line services that use a personal Apple ID username and password—like notarization—won’t work with a federated Managed Apple ID. To accommodate those situations, create a Managed Apple ID with the role Administrator or People Manager because accounts with those roles can’t be federated.
Global Service Exchange (GSX)
Approved organizations that self-repair Apple products need to plan their transition and may need to work with the Apple GSX teams, whose email addresses are listed below, along with the countries or regions they cover.
Asia-Pacific countries and regions
email@example.com (for traditional Chinese language support, include Chinese in the email’s subject line)
Access to GSX is limited to approved domains and invited Managed Apple IDs. Before enabling federation, create at least one Managed Apple ID in an approved domain and invite that user to GSX. After personal Apple IDs are removed from the domain, Managed Apple IDs can be created with the same names; these Managed Apple IDs must then be invited to GSX. If those individuals hold certifications, email firstname.lastname@example.org to have the certifications moved between accounts.
If necessary, you can update account information for your organization by signing in at http://aamt.apple.com/.
If you are asked to update your personal Apple ID, see the Apple Support article If you are asked to update your Apple ID email address.
Apple Online Store
Individuals with access to their organization’s online store must complete the conflict resolution process to update logins affected by federation. If you want to use a federated Managed Apple ID for the online store, complete the following steps:
1. Have the user generate a new federated Managed Apple ID. The user must sign in to iCloud using Settings on an iPhone or iPad, using System Preferences on Mac, or during the initial setup of the device.
2. In Apple Business Manager, change the user’s role to Staff.
3. Contact your dedicated Apple Account Executive and request that a new invitation be generated for the federated Managed Apple ID.